
recommend semanage fcontext for selinux #1336

Closed
wants to merge 1 commit into from

Conversation

@immanetize commented Aug 1, 2017

Using chcon isn't ideal; it's better to set and apply a default policy. Files can end up with a 'wrong' label for all sorts of reasons (most commonly a mv, so I made a specific note about that), and using chcon can be tedious. It's much more convenient post-deployment to run restorecon -R /path.

A bunch of webservers should have appropriate policy:

```text
[root@magento ~]# grep httpd_exec_t /etc/selinux/targeted/contexts/files/file_contexts|grep bin
/usr/sbin/httpd(\.worker)?      --      system_u:object_r:httpd_exec_t:s0
/usr/sbin/apache(2)?    --      system_u:object_r:httpd_exec_t:s0
/usr/sbin/apache-ssl(2)?        --      system_u:object_r:httpd_exec_t:s0
/usr/share/jetty/bin/jetty.sh   --      system_u:object_r:httpd_exec_t:s0
/usr/sbin/nginx --      system_u:object_r:httpd_exec_t:s0
/usr/sbin/thttpd        --      system_u:object_r:httpd_exec_t:s0
/usr/sbin/php-fpm       --      system_u:object_r:httpd_exec_t:s0
/usr/sbin/cherokee      --      system_u:object_r:httpd_exec_t:s0
/usr/sbin/lighttpd      --      system_u:object_r:httpd_exec_t:s0
/usr/sbin/httpd\.event  --      system_u:object_r:httpd_exec_t:s0
/usr/bin/mongrel_rails  --      system_u:object_r:httpd_exec_t:s0
/usr/sbin/htcacheclean  --      system_u:object_r:httpd_exec_t:s0
```

... but it seems better not to go into it, so I simply changed ~"It will only work with Apache" to ~"ymmv". In practice, I'd say that a web server that wasn't shipped SELinux-friendly and appropriately confined should simply not be used in production, but this doc is not my soapbox :)

whatsnew
Replaced chcon commands with semanage and restorecon in the installation security section.
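The procedure the PR describes (record a default context with `semanage fcontext`, then apply it with `restorecon -R`), as an added example that is not part of the PR or of the Magento docs. It prints the plan instead of running it unless `APPLY=1` is set, so the commands can be reviewed before anything touches policy. The directory list and type are taken from the docs' chcon lines; the helper names, the `MAGE_ROOT`/`APPLY` variables and the `verify_labels` check are assumptions for this example, and the check assumes GNU coreutils with SELinux support on the host.

```shell
#!/bin/sh
# Added example, not the Magento project's own tooling. POSIX sh on purpose so it
# runs with whatever /bin/sh the host has.
set -eu

RW_TYPE="httpd_sys_rw_content_t"
# Directories Magento must write to (the same three the docs' chcon commands labelled).
MAGE_RW_DIRS="var pub/media pub/static"

# Turn a filesystem path into the pattern semanage fcontext expects: one trailing
# slash stripped, regex metacharacters escaped (a literal '.' in "/srv/store.example"
# would otherwise match any character), and "(/.*)?" appended to cover the subtree.
fcontext_pattern() {
  p="${1%/}"
  out=""
  rest="$p"
  while [ -n "$rest" ]; do
    c=$(printf '%.1s' "$rest")
    rest="${rest#?}"
    case "$c" in
      '.'|'*'|'+'|'?'|'('|')'|'['|']'|'{'|'}'|'|'|'^'|'$'|'\') out="$out\\$c" ;;
      *) out="$out$c" ;;
    esac
  done
  printf '%s(/.*)?' "$out"
}

# Emit one semanage line per writable directory, then a recursive restorecon of the
# whole tree so files that already exist pick up the new defaults.
label_plan() {
  root="${1%/}"
  for d in $MAGE_RW_DIRS; do
    pat="$(fcontext_pattern "$root/$d")"
    # "-a" fails if a rule for this pattern already exists; fall back to "-m" so the
    # plan can be re-run after a path change without deleting rules by hand.
    printf 'semanage fcontext -a -t %s "%s" 2>/dev/null || semanage fcontext -m -t %s "%s"\n' \
      "$RW_TYPE" "$pat" "$RW_TYPE" "$pat"
  done
  printf 'restorecon -Rv "%s"\n' "$root"
}

# Check mode (assumed helper): what policy says the path should carry versus what
# the inode actually carries. A mismatch here means a mv or an old chcon is in play.
verify_labels() {
  root="${1%/}"
  for d in $MAGE_RW_DIRS; do
    printf '%-40s policy=%s disk=%s\n' "$root/$d" \
      "$(matchpathcon -n "$root/$d")" "$(stat -c %C "$root/$d")"
  done
}

# Usage (assumption: run as root on the target host):
#   MAGE_ROOT=/var/www/html/magento2 sh ./selinux-plan.sh           # print the plan
#   APPLY=1 MAGE_ROOT=/var/www/html/magento2 sh ./selinux-plan.sh   # run it, then verify
if [ -n "${MAGE_ROOT:-}" ]; then
  if [ "${APPLY:-0}" = "1" ]; then
    label_plan "$MAGE_ROOT" | sh -e
    verify_labels "$MAGE_ROOT"
  else
    label_plan "$MAGE_ROOT"
  fi
fi
```

The escaping step is the part people skip: `semanage fcontext` stores the argument as a regular expression, so an unescaped `.` or `+` in the install path yields a rule that matches more (or, with a trailing slash, less) than intended, and `restorecon` then silently leaves the tree with its old labels. After applying, a second run of `verify_labels` should show `policy` and `disk` agreeing for all three directories.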

magento-cicd2 pushed a commit that referenced this pull request Oct 27, 2017
@jeff-matthews jeff-matthews changed the base branch from develop to master July 17, 2018 13:53
@magento magento deleted a comment from magento-cicd2 Nov 14, 2018
@jeff-matthews (Contributor) commented:

Sorry for the long delay processing this @immanetize. Please update the 2.1 and 2.3 files and I'll merge this.

chcon -R --type httpd_sys_rw_content_t <your Magento install dir>/var
chcon -R --type httpd_sys_rw_content_t <your Magento install dir>/pub/media
chcon -R --type httpd_sys_rw_content_t <your Magento install dir>/pub/static
export mageroot="/path/to/your_magento_install_dir"
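Review bot: `export` is not needed on this line; `mageroot` is only read by commands typed into the same shell, so `mageroot="/path/to/your_magento_install_dir"` is enough, and exporting it puts the install path into the environment of every child process started afterwards. The placeholder should also say the path must be absolute and carry no trailing slash: once it is interpolated into a `semanage fcontext` pattern, a value such as `/srv/magento/` produces `/srv/magento//var...`, which matches nothing on disk, and `restorecon` then leaves the tree unlabelled without complaint.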
Contributor commented:

All these commands should be wrapped in code fences and separated by && so you can copy/paste the whole block and run it in a terminal.

>```bash
>export mageroot="/path/to/your_magento_install_dir"
>...
>```


The preceding commands work only with the Apache web server. Because of the variety of configurations and security requirements, we don't guarantee these commands work in all situations. For more information, see:
The first command sets an environment variable to the root directory of your Magento installation directory, verify and substitute the correct path. The `semanage` commands set the default file context for directories that Magento needs to write to, and the `restorecon` command applies the contexts in policy to the files on disk.
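Review bot: the sentence on `restorecon` should name the recursive flag. Run against the Magento root without `-R`, `restorecon` relabels only that one directory inode and leaves everything under `var`, `pub/media` and `pub/static` with whatever label it had before, so the copy/paste block needs `restorecon -R` (with `-v` to list what changed). The sentence on `semanage` should likewise say that the argument is a regular expression covering the subtree, for example `"$mageroot/var(/.*)?"`; a reader who passes the bare directory path gets a rule that matches the directory itself and nothing inside it.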
Contributor commented:

Suggested change
The first command sets an environment variable to the root directory of your Magento installation directory, verify and substitute the correct path. The `semanage` commands set the default file context for directories that Magento needs to write to, and the `restorecon` command applies the contexts in policy to the files on disk.
The first command sets an environment variable to the root directory of your Magento installation directory. You must verify and substitute the correct path to your installation. The `semanage` commands set the default file context for directories that Magento needs to write to. The `restorecon` command applies the contexts in policy to the files on disk.

The preceding commands work only with the Apache web server. Because of the variety of configurations and security requirements, we don't guarantee these commands work in all situations. For more information, see:
The first command sets an environment variable to the root directory of your Magento installation directory, verify and substitute the correct path. The `semanage` commands set the default file context for directories that Magento needs to write to, and the `restorecon` command applies the contexts in policy to the files on disk.

New files will then automatically inherit the context of the directory they are created in, and stay with the file when it moves. If you have a deployment method that creates files in a scratch directory then moves (ie `mv /home/frank/jar.css $mageroot/`) them into the web server's document root, you should use `restorecon` to restore the proper context to your files.
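Review bot: the last sentence should give the command rather than just the name, since this is the step a reader repeats after every deployment: `restorecon -R "$mageroot"` (the PR description itself uses `restorecon -R /path`), and without `-R` it touches only the path named. It is also worth one clause on why the `mv` case is a security point and not only a convenience one: a file moved out of `/home/frank` keeps its home-directory label, which the web server's confined domain is not allowed to read under the default targeted policy, so the symptom is a 403 or a missing asset; a file moved the other way, carrying `httpd_sys_rw_content_t` into a directory that should be read-only to the web server, stays writable by that process.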
Contributor commented:

Suggested change
New files will then automatically inherit the context of the directory they are created in, and stay with the file when it moves. If you have a deployment method that creates files in a scratch directory then moves (ie `mv /home/frank/jar.css $mageroot/`) them into the web server's document root, you should use `restorecon` to restore the proper context to your files.
New files inherit the context of the directory in which they are created and stay with the file when it moves. If you have a deployment method that creates files in a scratch directory and then moves them into the web server's document root (for example `mv /home/frank/jar.css $mageroot/`), you should use the `restorecon` command to restore the proper context to your files.


New files will then automatically inherit the context of the directory they are created in, and stay with the file when it moves. If you have a deployment method that creates files in a scratch directory then moves (ie `mv /home/frank/jar.css $mageroot/`) them into the web server's document root, you should use `restorecon` to restore the proper context to your files.

This example is known to work with Apache, and may work with other packaged web servers, but because of the variety of configurations and security requirements, we don't guarantee these commands work in all situations. For more information, see:
Contributor commented:

Suggested change
This example is known to work with Apache, and may work with other packaged web servers, but because of the variety of configurations and security requirements, we don't guarantee these commands work in all situations. For more information, see:
This example is known to work with Apache and may work with other packaged web servers, but because of the variety of configurations and security requirements, we cannot guarantee these commands work in all situations. For more information, see:

@jeff-matthews jeff-matthews added the Major Update Significant original updates to existing content label Dec 13, 2018
@magento-cicd2 (Contributor) commented:

An admin must run tests on this PR before it can be merged.

@jeff-matthews jeff-matthews added the Waiting for Response Waiting for response from internal/external parties label Feb 12, 2019
@hguthrie (Contributor) commented:

There has been no communication for some time; we are closing this pull request. If you have further comments and feedback, please create an issue or a new pull request. Thanks for taking the time to contribute to docs improvement!

@hguthrie hguthrie closed this Feb 19, 2019
ghost commented Feb 19, 2019

Hi @immanetize, thank you for your contribution!
Please complete the Contribution Survey; it will take less than a minute.
Your feedback will help us improve the contribution process.

@hguthrie hguthrie removed Waiting for Response Waiting for response from internal/external parties labels Feb 19, 2019
Labels
2.x Major Update Significant original updates to existing content
6 participants